Knative Secrets - Go

A simple web app written in Go that you can use for testing. It demonstrates how
to use a Kubernetes secret as a Volume with Knative. We will create a new Google
Service Account and place it into a Kubernetes secret, then we will mount it
into a container as a Volume.

Follow the steps below to create the sample code and then deploy the app to your
cluster. You can also download a working copy of the sample by running the
following commands:

Before you begin

Docker installed and running on your local machine,
and a Docker Hub account configured (we’ll use it for a container registry).

Create a
Google Cloud project
and install the gcloud CLI and run gcloud auth login. This sample will use
a mix of gcloud and kubectl commands. The rest of the sample assumes that
you’ve set the $PROJECT_ID environment variable to your Google Cloud project
id, and also set your project ID as default using
gcloud config set project $PROJECT_ID.

Recreating the sample code

Create a new file named secrets.go and paste the following code. This code
creates a basic web server which listens on port 8080:

package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"os"

	"cloud.google.com/go/storage"
)

func main() {
	log.Print("Secrets sample started.")

	// This sets up the standard GCS storage client, which will pull
	// credentials from GOOGLE_APPLICATION_CREDENTIALS if specified.
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		log.Fatalf("Unable to initialize storage client: %v", err)
	}

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// This GCS bucket has been configured so that any authenticated
		// user can access it (Read Only), so any Service Account can
		// run this sample.
		bkt := client.Bucket("knative-secrets-sample")

		// Access the attributes of this GCS bucket, and write them back to the
		// user. On failure, return a 500 and the error message.
		attrs, err := bkt.Attrs(ctx)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		fmt.Fprintf(w, "bucket %s, created at %s, is located in %s with storage class %s\n",
			attrs.Name, attrs.Created, attrs.Location, attrs.StorageClass)
	})

	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}

	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil))
}

In your project directory, create a file named Dockerfile and copy the code
block below into it. For detailed instructions on dockerizing a Go app, see
Deploying Go servers with Docker.

# Use the official Golang image to create a build artifact.
# This is based on Debian and sets the GOPATH to /go.
# https://hub.docker.com/_/golang
FROM golang as builder

# Install dep
RUN go get -u github.com/golang/dep/cmd/dep

# Copy local code to the container image.
WORKDIR /go/src/github.com/knative/docs/hellosecrets
COPY . .

# Fetch dependencies
RUN dep init
RUN dep ensure

# Build the output command inside the container.
RUN CGO_ENABLED=0 GOOS=linux go build -v -o hellosecrets

# Use a Docker multi-stage build to create a lean production image.
# https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
FROM alpine

# Enable the use of outbound https
RUN apk add --no-cache ca-certificates

# Copy the binary to the production image from the builder stage.
COPY --from=builder /go/src/github.com/knative/docs/hellosecrets/hellosecrets /hellosecrets

# Service must listen to $PORT environment variable.
# This default value facilitates local development.
ENV PORT 8080

# Run the web service on container startup.
CMD ["/hellosecrets"]

You can achieve a similar result by editing secret.yaml, copying the
contents of robot.json as instructed there, and running
kubectl apply --filename secret.yaml.

Create a new file, service.yaml and copy the following service definition
into the file. Make sure to replace {username} with your Docker Hub
username.

apiVersion: serving.knative.dev/v1alpha1
kind: Service
metadata:
  name: secrets-go
  namespace: default
spec:
  template:
    spec:
      containers:
        # Replace {username} with your DockerHub username
        - image: docker.io/{username}/secrets-go
          env:
            # This directs the Google Cloud SDK to use the identity and project
            # defined by the Service Account (aka robot) in the JSON file at
            # this path.
            # - `/var/secret` is determined by the `volumeMounts[0].mountPath`
            #   below. This can be changed if both places are changed.
            # - `robot.json` is determined by the "key" that is used to hold the
            #   secret content in the Kubernetes secret. This can be changed
            #   if both places are changed.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secret/robot.json
          # This section specifies where in the container we want the
          # volume containing our secret to be mounted.
          volumeMounts:
            - name: robot-secret
              mountPath: /var/secret
      # This section attaches the secret "google-robot-secret" to
      # the Pod holding the user container.
      volumes:
        - name: robot-secret
          secret:
            secretName: google-robot-secret
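The comments in service.yaml above explain that GOOGLE_APPLICATION_CREDENTIALS points the client library at the file the secret volume mounts. The following Go program is an added example, not part of the Knative sample or of any Google library: it shows the kind of startup check a service can run before calling storage.NewClient, confirming that the secret really is mounted at that path, that the entry is a regular file not writable by group or others, and that it parses as a service-account key, while logging only the client_email and project_id and never the private key. The JSON in sampleKeyJSON is constructed for the demo (placeholder project, email and key text), and the demo writes it to a temporary directory to stand in for the /var/secret mount.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
)

// sampleKeyJSON is a constructed stand-in for the contents of robot.json.
// Every value is a placeholder; the private_key is not real key material.
const sampleKeyJSON = `{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000placeholder0000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "sample-robot@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000"
}`

// ServiceAccountInfo carries only the identity fields of a key file, so it
// can be logged without leaking the credential.
type ServiceAccountInfo struct {
	ProjectID   string
	ClientEmail string
}

// parseServiceAccount checks that data has the shape of a Google
// service-account key file and returns its non-sensitive fields.
func parseServiceAccount(data []byte) (ServiceAccountInfo, error) {
	var raw struct {
		Type        string `json:"type"`
		ProjectID   string `json:"project_id"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return ServiceAccountInfo{}, fmt.Errorf("credentials are not valid JSON: %w", err)
	}
	if raw.Type != "service_account" {
		return ServiceAccountInfo{}, fmt.Errorf("credential type %q is not service_account", raw.Type)
	}
	if raw.ClientEmail == "" || raw.PrivateKey == "" {
		return ServiceAccountInfo{}, errors.New("credentials are missing client_email or private_key")
	}
	return ServiceAccountInfo{ProjectID: raw.ProjectID, ClientEmail: raw.ClientEmail}, nil
}

// checkCredentialsFile verifies that the secret is mounted at path, that the
// entry is a regular file (os.Stat follows the symlinks a Kubernetes secret
// volume creates), that it is not writable by group or others, and that its
// contents parse as a service-account key.
func checkCredentialsFile(path string) (ServiceAccountInfo, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return ServiceAccountInfo{}, fmt.Errorf("secret not mounted at %s: %w", path, err)
	}
	if !fi.Mode().IsRegular() {
		return ServiceAccountInfo{}, fmt.Errorf("%s is not a regular file", path)
	}
	if perm := fi.Mode().Perm(); perm&0o022 != 0 {
		return ServiceAccountInfo{}, fmt.Errorf("%s is writable by group or others (mode %04o)", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return ServiceAccountInfo{}, fmt.Errorf("reading %s: %w", path, err)
	}
	return parseServiceAccount(data)
}

func main() {
	// Stand-alone demo: write the constructed sample where a mounted secret
	// would normally be, then run the check a service would run at startup.
	dir, err := os.MkdirTemp("", "secret-demo")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "robot.json") // stands in for /var/secret/robot.json
	if err := os.WriteFile(path, []byte(sampleKeyJSON), 0o600); err != nil {
		log.Fatal(err)
	}

	info, err := checkCredentialsFile(path)
	if err != nil {
		log.Fatalf("refusing to start: %v", err)
	}
	// Only the identity is logged; the key never leaves the file.
	log.Printf("using service account %s in project %s", info.ClientEmail, info.ProjectID)
}
```

In the real service the path would come from os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") and the check would run before storage.NewClient, so a missing or malformed secret fails fast with a clear message instead of surfacing as an opaque authentication error on the first request. Note that the default mode for files in a secret volume is 0644, which the writability check accepts; a tighter defaultMode on the volume would also pass.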

Building and deploying the sample

Once you have recreated the sample code files (or used the files in the sample
folder) you’re ready to build and deploy the sample app.

Use Docker to build the sample code into a container. To build and push with
Docker Hub, run these commands replacing {username} with your Docker Hub
username:

After the build has completed and the container is pushed to Docker Hub, you
can deploy the app into your cluster. Ensure that the container image value
in service.yaml matches the container you built in the previous step. Apply
the configuration using kubectl:

kubectl apply --filename service.yaml

Now that your service is created, Knative will perform the following steps:

Automatically scale your pods up and down (including to zero active pods).

Run the following command to find the external IP address for your service.
The ingress IP for your cluster is returned. If you just created your
cluster, you might need to wait and rerun the command until your service gets
assigned an external IP address.

# In Knative 0.2.x and prior versions, the `knative-ingressgateway` service was used instead of `istio-ingressgateway`.
INGRESSGATEWAY=knative-ingressgateway

# The use of `knative-ingressgateway` is deprecated in Knative v0.3.x.
# Use `istio-ingressgateway` instead, since `knative-ingressgateway`
# will be removed in Knative v0.4.
if kubectl get configmap config-istio -n knative-serving &> /dev/null; then
    INGRESSGATEWAY=istio-ingressgateway
fi

kubectl get svc $INGRESSGATEWAY --namespace istio-system